Updated June 26, 2023
In the face of expanding regulatory requirements and heightened consumer expectations, companies can no longer afford to ignore privacy issues and the protection of customer data.
New privacy requirements are mandated under the California Privacy Rights Act (CPRA) as well as Europe’s General Data Protection Regulation (GDPR), and mandates may be added under similar legislation being debated in many other U.S. states.
Beyond the regulatory requirements, however, creating and demonstrating effective privacy policies and practices can pay tremendous dividends by increasing consumer trust in your company and its professionals, and helping you avoid potential privacy-related fines.
In broad terms, the CPRA grants consumers rights that include the ability to ask:
The legislation also gives consumers the right to request that a company stop sharing any personal information related to them, as well as to delete any personal information it may be storing.
Because the California law extends privacy protections to the residents of that state, regardless of where the business is located, many companies are likely to have compliance requirements that they may not be aware of.
Similarly, the GDPR restricts how companies, regardless of location, can collect, use, store and share personal data related to customers in the European Union without their consent. Companies must disclose the data they are collecting and how they plan to use and store it, and must provide a way for consumers to request the deletion of their personally identifiable data.
Any U.S. company doing business in Europe needs to be aware of, and comply with, GDPR requirements and practices.
In addition to GDPR and California’s landmark CPRA, 28 other states had adopted (or were debating) a variety of privacy-related laws as of August 2021. The growing regulatory focus on data protection is especially relevant for real estate, given the industry’s increasingly tech-reliant posture. As new technology platforms transform the real estate industry, the volume of customer and transaction data is exploding — as is the need for real estate companies to maintain effective privacy protections.
One example of the new legislation is in New York City, which passed a law restricting the use of data related to keyless entry cards by landlords and property managers to limited purposes such as granting access to a building or a common area. Companies must use only the minimum data required to control access, must encrypt that data, and must follow strict guidelines for data removal, deletion and anonymization. Violations can result in regulatory fines or private litigation.
Despite privacy concerns, property management firms have legitimate reasons to collect and analyze the rich supply of data keyless card systems can offer about how facilities and amenities are being used. For instance, understanding how many people are in hallways or other common areas at different times of the day can provide insights into when heating and air-conditioning systems can be adjusted to increase efficiency.
This data, however, needs to be anonymized to ensure the keyless entry system is not tracking tenants or guests as they move around the property. It can be useful for a property manager to understand how many people are coming and going from a building or a garage in the overnight hours, but they need to store and analyze this data without tracking specifically who those people are.
Privacy and data protection are relatively new considerations for real estate companies, despite the tremendous amount of personally identifiable consumer information they accumulate in the course of business. Depending on which sector your company is involved with, this can include personal and financial data related to investors, current and prospective tenants, property owners and other stakeholders.
The real estate industry also has some other factors that can increase privacy-related risks. For instance, the industry specializes in completing complex transactions quickly, and up until now privacy considerations haven't been major factors in this process.
In addition, many real estate firms are independently owned and have a regional focus, with many professionals mistakenly believing their firm is not large enough to trigger privacy law compliance requirements. Real estate firms also often have lean staffing levels that increase agility but can leave privacy requirements unattended.
Companies in all sectors of the industry need to meet changing consumer expectations, as well. Consumers are increasingly attuned to their privacy rights and are more willing to question the types of information companies collect and how they use it.
Some common privacy-related oversights within the real estate industry include:
In addition to protecting electronic records, you have to ensure adequate protection for your physical documents. Although real estate transactions generate less paper than they used to, most companies still have large volumes of documents that need to be safeguarded against unauthorized access.
Technology has infused nearly every process in real estate sales, leasing, financing and property management. For instance, if a consumer conducts a basic property search online and enters their contact and financial information to learn more about the property or their financing options, that inquiry will likely trigger a preliminary credit analysis — and the sale of their information to local agents and lenders who have business relationships with the property-search platform.
Each company that receives the consumer’s information needs to have policies and practices to mitigate the risk of that data being accessed inappropriately and the company facing potential regulatory inquiries and fines. At a minimum, real estate companies need to understand:
Applying “privacy by design” principles as corporate policies are developed will help ensure that data is obtained only for business purposes, that your company doesn’t collect data it doesn’t need, that the data has appropriate privacy and security controls, and that it is disposed of properly after its useful life.
Real estate companies also have to be sure their data retention policies are aligned with their business needs. For example, a hotel may only need to store guest information for six to 12 months, unless the guest opts into receiving marketing campaigns. In contrast, a company managing apartment complexes will want to retain lessee data for the duration of the tenancy.
Similarly, real estate funds need to store personal and financial data about current investors but may need to archive or discard information related to former clients and former investors, in alignment with the company’s retention policy. (It’s important for funds to check with legal counsel about record retention requirements in the jurisdictions where their clients reside.)
You also need to understand the privacy practices and policies of your vendors and other business partners, both to ensure regulatory compliance and to minimize potential liability stemming from the misuse of data by a business partner.
Outsourcing is common in the real estate industry, but you can’t pass along the associated regulatory compliance requirements to your partners. Even if an organization is storing customer data on behalf of your company, for instance, you retain the ultimate liability for any breaches or other unsuitable privacy practices.
Given this risk, it’s important to discuss privacy and data security compliance when negotiating contracts with outsourcing providers, and to review their privacy and security practices on a regular basis.
Understanding and mitigating the rapidly growing risks around privacy in the real estate industry is a critical priority to avoid potential costs and reputational damage for your business. Contact the Data Privacy experts at Armanino to learn how you can achieve regulatory compliance and manage the full spectrum of real estate privacy concerns, including Cybersecurity Consulting services to help you protect sensitive client data.